How the FBI Could Have Hacked the San Bernardino Shooter’s iPhone

WIRED

More than six months have passed since the FBI first ordered Apple to help the agency bypass the encryption on the iPhone 5c of Rizwan Syed Farook, an ISIS supporter who with his wife killed 14 people in San Bernardino before dying in a shootout with police. But the shockwave is still resonating through the security community. The FBI claimed it had no other way of accessing the device’s data. Now one researcher says he’s proven the FBI wrong, showing that any sufficiently skilled hardware hacker could have accessed Farook’s phone with less than $100 in equipment.

On Wednesday, Cambridge University security researcher Sergei Skorobogatov published a paper detailing a method known as NAND mirroring that bypasses the iPhone 5c’s PIN code security measures. The technique was widely discussed during Apple’s dustup with the FBI, which claimed that the process wouldn’t work. Skorobogatov demonstrated otherwise by carefully removing the NAND memory chip from the phone’s circuit board and repeatedly rewriting the data that tracks how many times incorrect PINs have been tried on the phone’s lockscreen. Freed from the iPhone’s restrictions that permanently lock the phone after ten incorrect PIN entries, he showed that an attacker with cheap hardware could try every possible four-digit PIN in less than 24 hours. “This is the first public demonstration of…the real hardware mirroring process for iPhone 5c,” Skorobogatov writes. “Any attacker with sufficient technical skills could repeat the experiments.”

Skorobogatov’s technique hardly represents a threat to current iPhones, since he pulled it off only on a 5c. Later models use different hardware that renders the hack far more difficult. But his research shows that the FBI’s claim that the technique wouldn’t work was at best mistaken and at worst was an attempt to set a legal precedent to force tech companies to cooperate in hacking their own devices. The FBI convinced a California magistrate to order Apple to help unlock Farook’s phone, based on the argument that it had no other option to break the device’s security protections. “We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised,” Skorobogatov states in his paper. “Despite government comments about feasibility of the NAND mirroring for iPhone 5c it [has] now proved to be fully working.”

Here’s how Skorobogatov’s painstaking NAND mirroring method works: He began by separating the iPhone’s tiny NAND memory chip from the phone’s circuit board, heating it to weaken the epoxy holding it in place and then cutting it off with a thin-blade knife. Skorobogatov then carved a hole in the back of the phone and wired a connector through the hole that allowed the memory chip to be attached and removed at will. He then built his own eavesdropping device that intercepted signals between the phone and the memory chip in order to reverse engineer how the phone wrote information to the chip, pictured below.

Skorobogatov’s “eavesdropping” attachment, which helped him reverse engineer how the iPhone wrote data to the NAND chip he’d removed from the phone’s internals.Sergei Skorobogatov

After that step, Skorobogatov was able to move the chip to a test board that allowed him to back up the NAND chip’s data to a different chip. Then he reconnected the original chip to the phone, guessed a series of six PINs, then moved it back to the test board to overwrite the memory chip with the backup that “zeroed” the PIN-guess counter, like a shady mechanic rolling back a car’s odometer. Repeating that technique, he determined that he could try a collection of six PIN guesses in about 90 seconds, or all possible pins in around 40 hours. But he writes that a better prepared and resourced hacker could clone thousands of copies of the chip in its original state before any guesses have been attempted and simply swap those in rather than rewriting the same chip’s data. That cloning method, he writes, would be far faster, giving the attacker the correct four-digit code in just 20 hours, and even cracking six-digit PINs in about three months, by his estimate.

Skorobogatov points out that the technique could be streamlined and automated, using a USB keyboard to type the PIN guesses from a programmed script. “This could be developed into a fully automatic setup and used as a tool for brute-forcing passcodes in real devices,” Skorobogatov says. “For a four-digit PIN, it can be done in less than a day.”

Skorobogatov’s method overcame plenty of technical hurdles, including the finicky electrical engineering challenge of wiring a chip outside an iPhone’s frame. But the information security research community has long believed the technique to be possible and repeatedly proposed it to the FBI as an alternative to its demand that Apple create a new version of its firmware that would allow law enforcement to bypass the PIN code restrictions. Forensics expert and iOS hacker Jonathan Zdziarski, for instance, demonstrated a partial proof-of-concept version of the attack in March that worked only on a jailbroken iPhone with some security measures disabled. Representative Darrell Issa asked FBI director James Comey about the technique in a congressional hearing, as shown in the clip below.

The FBI eventually dropped its case against Apple after declaring that one of its contractors had found a way to break the phone’s security. But iPhone hacker Zdziarski says that Skorobogatov’s results indicate either incompetence or willful ignorance on the part of an agency that was hoping to instead set a precedent for tech companies’ cooperation with law enforcement. “This really shows the FBI was lacking in its research and due diligence,” Zdziarski says. “Setting the precedent was more important than doing the research.”

But the NAND mirroring method may have still been impractical for the FBI, counters Matthew Green, a computer science professor and cryptographer at Johns Hopkin University. “Everyone I know who was trying it couldn’t get past the fact that it required incredible soldering abilities,” he says. Green argues that the technique might have scared off FBI officials who worried about the danger of permanently damaging the hardware of Farook’s phone. “You could fry the chip.”

Skorobogatov agrees that the FBI likely paid its still-unnamed contractor for a different method to hack Farook’s iPhone, one that exploited only software vulnerabilities in order to avoid any risk of collateral damage from removing the phone’s NAND chip. But he maintains that the technique isn’t hard for an experienced hardware hacker, or even a skilled iPhone repair technician. “The more chips you de-solder, the more experienced you become,” he says. “When you’ve done it hundreds of times, it’s a streamlined process.”

For Zdziarski, that doesn’t leave the FBI any excuses. “If one researcher can accomplish this relatively quickly,” he says, “I would think a team of FBI forensics experts with the right hardware and resources could do it even faster.”